Browsers Hit by Spoofing Issue

Friday, August 19, 2016 @ 01:08 PM gHale

If you are a Firefox or Chrome user, you should update your browser now, and if you use any other browser, you should update as soon as a new version is available: there is a way to defeat browser security features and spoof URLs in the address bar using an easy ploy.

The problem lies in how browsers align URLs written with mixed right-to-left (RTL, Arabic) and left-to-right (LTR, Roman) characters, said researcher Rafay Baloch, who discovered the flaw and earned $5,000 from Google. So far, Google and Mozilla have fixed the issue and others are working on it.

Several browsers can get confused and end up switching parts of the URL, tricking the user into thinking they’re accessing a different site than the one they’re really on, Baloch said.

For example, in Chrome, this bug takes a URL in the form of 158.10.230.11/ا/http://google.com and switches it around the Arabic “ا” character like this: http://google.com/ا/158.10.230.11.

A hacker running a phishing site can take the server’s IP, add one of a few Arabic characters that trigger this behavior in the middle of the URL, and append the domain of a legitimate website at the end.

They can then embed this URL in spam email, SMS, or IM messages, and when the user clicks on it, they’ll end up on a page that shows a URL starting with a valid domain, but in reality, they’d be on the attacker’s server.

“The IP address part can be easily hided [sic] specially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” Baloch said in a blog post.

The same issue was also fixed in Firefox (CVE-2016-5267), but with a slightly different exploitation scenario, since Mozilla uses a different codebase from Google.

For Mozilla, the attackers had to use Arabic characters for the malicious URL. When accessing the link, the browser would display it in reverse.

As a result of this vulnerability, users should update their browsers as soon as possible.
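For mail or messaging filters that inspect links before users click them, the URL shape described above can be flagged directly. The following is an added example, not code from the article or from either browser vendor; it checks for right-to-left characters combined with an IP-literal host or a second URL embedded in the path. The function names and the non-article sample URLs are constructed for illustration.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Bidi classes that flip display order: strong RTL letters plus explicit controls.
RTL_CLASSES = {"R", "AL", "RLE", "RLO", "RLI"}
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def has_rtl(text):
    return any(unicodedata.bidirectional(ch) in RTL_CLASSES for ch in text)

def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def spoof_findings(url):
    """Return the traits of the mixed-direction pattern found in a link."""
    if not SCHEME_RE.match(url):      # bare "host/path" links, as in the article
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    tail = unquote(parts.path + "?" + parts.query)  # decode %D8%A7-style escapes
    findings = []
    if has_rtl(host + tail):
        findings.append("rtl-chars")
    if host_is_ip(host):
        findings.append("ip-literal-host")
    if SCHEME_RE.search(tail):
        findings.append("embedded-url-in-path")
    return findings

def is_suspicious(url):
    """RTL characters alone are normal; flag them only alongside another trait."""
    found = spoof_findings(url)
    return "rtl-chars" in found and len(found) > 1

# The first sample is the URL form quoted in the article (U+0627 is the Arabic
# letter it uses); the others are constructed.
SAMPLES = [
    "158.10.230.11/\u0627/http://google.com",
    "http://158.10.230.11/%D8%A7/http://google.com",
    "https://example.org/\u0627/page",
    "http://192.0.2.10/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), spoof_findings(sample), is_suspicious(sample))
```
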